
Improve errors for aws login with an unbound ARN #10036

Merged


mikegrass

During AWS login / renew, vault has logic to try to match the caller's identity against one of the BoundIamPrincipalARNs associated with the vault role.

The third step of this logic is to try to match any wildcard entries in the BoundIamPrincipalARNs for the vault role to the fully-resolved ARN of the caller's identity.

In some environments, especially with cross-AWS account logins, resolving the full ARN is unlikely to succeed, which leads to rather confusing error messages:

2020-08-24T01:46:41.442Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.company.com/v1/auth/aws/login
Code: 400. Errors:
* error looking up full ARN of entity &{aws 123456789012 assumed-role  my-role some-session}: error fetching role "my-role": NoSuchEntity: The role with name my-role cannot be found.
        status code: 404, request id: f0256e67-fd5f-4e45-b457-f456570bf6bb" backoff=2.852132462

However, resolving the full ARN only needs to be done if there are any wildcard entries in BoundIamPrincipalARNs, since the full ARN is only used in that path.

This PR:

  1. Checks for wildcard entries in BoundIamPrincipalARNs before trying to resolve the full ARN. If there are none, it immediately returns with an error indicating the vault role is not bound to the caller's ARN, shortcutting the logic to resolve the full ARN (which wouldn't have been used anyway since there are no wildcard entries).
  2. Augments error messages returned in this path to include the vault role, which can be helpful information for support teams when customers copy & paste the error message from the vault login call (currently a frequently-asked follow-up question is, "which vault role were you trying to log in with?").
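The matching flow the PR describes, sketched in Go as an added example (this is not Vault's code): an exact match first, then the `hasWildcardBind` short-circuit that avoids the full-ARN lookup when the role has no wildcard binds, and every error names the Vault role. The `arnResolver` stub and the trailing-`*` prefix match are assumptions made to keep the example self-contained.

```go
package main

import (
	"fmt"
	"strings"
)

// arnResolver stands in for the IAM lookup Vault uses to turn the caller's
// canonical ARN into its full ARN (hypothetical stub, not Vault's own code).
type arnResolver func(canonicalARN string) (string, error)

// hasWildcardBind reports whether any bound principal ARN contains a wildcard.
// Only then does the caller's full ARN need to be resolved at all.
func hasWildcardBind(bound []string) bool {
	for _, b := range bound {
		if strings.Contains(b, "*") {
			return true
		}
	}
	return false
}

// matchBoundARN follows the login flow described in the PR: exact match first,
// then a short-circuit when the role has no wildcard binds, and only then the
// full-ARN lookup and wildcard match. Every error names the Vault role.
// Wildcard matching here is simplified to a trailing "*" (prefix match).
func matchBoundARN(roleName string, bound []string, canonicalARN string, resolve arnResolver) error {
	for _, b := range bound {
		if b == canonicalARN {
			return nil
		}
	}
	if !hasWildcardBind(bound) {
		return fmt.Errorf("IAM principal %q is not authorized for Vault role %q", canonicalARN, roleName)
	}
	fullARN, err := resolve(canonicalARN)
	if err != nil {
		return fmt.Errorf("error looking up full ARN of entity %q for Vault role %q: %w", canonicalARN, roleName, err)
	}
	for _, b := range bound {
		if strings.HasSuffix(b, "*") && strings.HasPrefix(fullARN, strings.TrimSuffix(b, "*")) {
			return nil
		}
	}
	return fmt.Errorf("IAM principal %q (full ARN %q) is not authorized for Vault role %q", canonicalARN, fullARN, roleName)
}
```

With a role that has no wildcard binds, the resolver is never invoked, so a cross-account `NoSuchEntity` failure from IAM can no longer mask the real cause (the caller's ARN is simply not bound to the role).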

@hashicorp-cla

hashicorp-cla commented Sep 24, 2020

CLA assistant check
All committers have signed the CLA.

@kalafut kalafut requested a review from calvn October 15, 2020 16:32
@calvn calvn added this to the 1.6 milestone Oct 15, 2020
@calvn calvn merged commit df7d336 into hashicorp:master Oct 22, 2020
calvn added a commit that referenced this pull request Oct 22, 2020
* Improve errors for aws login with an unbound ARN

* Factor hasWildcardBind into its own function

Co-authored-by: Calvin Leung Huang <[email protected]>
calvn added a commit that referenced this pull request Oct 22, 2020
* Improve errors for aws login with an unbound ARN

* Factor hasWildcardBind into its own function

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Mike Grass <[email protected]>